Moku Privacy Policy
Document version: v1.0
Effective date: 2026-05-27
Last updated: 2026-05-30
1. Who We Are and What This Policy Covers
Moku (operated by Arbor Ray, Inc., "Moku," "we," "our," or "us") is a consumer health-education app that helps you understand your own medical records. You upload documents you already have — lab reports, imaging reports, discharge summaries, visit notes — and we extract structured information, organize it, and generate educational explanations and suggestions for you to discuss with a clinician.
This Privacy Policy describes what we collect, how we use it, who we share it with, how long we keep it, and the rights you have over your information. It applies to your use of the Moku mobile app, web app, and any related services we provide.
If you are uploading records on behalf of another person (a parent, adult child, spouse, or other adult family member you care for), this policy also describes our expectations of you as a caregiver. See Section 8.
2. Our Position on HIPAA
Moku is not a HIPAA covered entity, business associate, or healthcare provider. We do not have a treatment relationship with you, we do not bill insurance, and we do not transmit health information to insurance companies or healthcare providers on your behalf. Under 45 CFR §160.103, the three types of HIPAA covered entities are health plans, health care clearinghouses, and providers who transmit health information in electronic form in connection with covered transactions. Moku is none of these.
These statements describe our relationship with you as a consumer user of Moku. If you encounter Moku through your employer, health plan, or healthcare provider, separate terms govern that relationship — under which Moku may be a HIPAA business associate of that organization. See Section 12 of our Terms of Service.
HIPAA does not directly apply to your use of Moku. Because we handle health information outside HIPAA's scope, our breach-notification obligations are governed by the U.S. Federal Trade Commission's Health Breach Notification Rule (16 CFR Part 318) rather than HIPAA's. See Section 10.
HIPAA does not require this of us — we do it anyway. We voluntarily implement the controls a HIPAA covered entity would be required to implement, including:
- Business Associate Agreements with every vendor that processes your health information on our behalf
- Encryption of your data in transit (TLS 1.3) and at rest (AES-256) on HIPAA-eligible cloud infrastructure
- Row-level access controls so that one account's data is isolated from another's
- Audit logging for sensitive access events, including internal access by our team
- Minimum-necessary access — only authorized personnel under confidentiality obligations can reach your data, and we keep that group as small as possible
- Workforce training on privacy and security
- Defined retention windows, with prompt deletion when retention purposes are exhausted
In several areas we go beyond what HIPAA would require. Three specific practices distinguish Moku from the baseline a HIPAA covered entity would have to meet:
- 7-day raw-file deletion. We delete the original PDF or image you uploaded from our active systems 7 days after we finish processing it. HIPAA permits indefinite retention as long as safeguards are in place; we choose not to take that latitude.
- De-identification of downstream data. Before any downstream processing — by our extraction pipelines, AI providers, or internal review tooling — we replace direct identifiers in the text we extract from your documents. Full names, full dates of birth, phone numbers, email addresses, mailing addresses, medical record numbers, and Social Security numbers are tokenized (replaced with placeholders like [pt_name], [pt_dob], [pt_phone_1]) so that downstream systems do not see them. Among the identifiers that originate from your medical records, only your first name, year of birth, sex, and the relationship between you and the person whose records you are organizing are retained in identifiable form in our long-lived account database. (Your account email and other account-management data are stored as you would expect for any account-based service; that is account information, not medical-record content.) HIPAA permits identifiable PHI to flow through derived systems under the Privacy and Security Rules; we strip direct identifiers by default. When we say data is "de-identified" in this policy, we mean data from which we have removed the direct identifiers listed above. Such data may still include clinical details and the dates of medical events; we do not represent it as de-identified under any specific legal standard (such as the HIPAA Safe Harbor or Expert Determination methods).
- Zero Data Retention with our AI providers. Where AI providers offer a Zero Data Retention mode, we contractually require it and enforce it in code. HIPAA requires a BAA with these providers; we require a BAA and ZDR.
3. What Data We Collect
We collect the following categories of information:
- Documents you upload. Medical records, lab reports, imaging reports, discharge summaries, visit notes, and similar files.
- Information we extract from your documents. Structured fields and findings derived from your uploads — diagnoses, medications, lab values, dates of service, providers, facilities, and other clinical information.
- Profile information. What you tell us about each person whose records you are organizing, including first name, year of birth, sex, and the relationship between you and that person (yourself, parent, child, spouse, other).
- Questions, prompts, and notes. Anything you type into the app, including questions you ask, instructions you give, and any free-text notes you add to a profile (such as conditions, allergies, or reminders).
- Outputs we generate for you. Summaries, educational explanations, suggested topics to discuss with a clinician, and other content Moku produces from your data.
- Account information. Your email address, login credentials, account settings, and language preference.
- Product usage telemetry. Pages viewed, features used, and similar product-usage signals; plus device and browser information needed to operate the product. We do not capture the content of form fields, and URLs containing identifiers are normalized before being recorded.
- Communications with us. Messages you send to our support team and our responses.
- Security logs. Login events, access logs, and audit records used to keep your account and data secure.
We do not knowingly collect government identifiers (Social Security numbers, driver's license numbers) directly from you. If a document you upload contains these identifiers in its text, we tokenize them at the OCR step (see Section 2 and Section 7).
4. How We Use Your Information
The short version, in plain language:
- We minimize the identifying data we keep. Raw files you upload are deleted within 7 days (see Section 6). From the medical text we extract, we remove direct identifiers — full names, full dates of birth, phone numbers, email addresses, mailing addresses, medical record numbers, and Social Security numbers — before any downstream processing (see Section 2). The only personal identifiers we keep in our account database are your first name, year of birth, sex, and your relationship to the profile subject. (We retain the clinical content and the dates of medical events from your records so the product works — but with the direct identifiers above removed.)
- We will never sell your data. Not now. Not ever. We do not share your data with data brokers, and we do not use it for targeted advertising.
- We may use data with direct identifiers removed to improve our products. Once direct identifiers have been removed from your data, we may use it to improve Moku's accuracy, evaluate quality, and develop new features. We do not use your data to train third-party AI providers' foundation models (see Section 5).
The longer version: we use the information described in Section 3 to operate Moku and provide you the product, including to:
- Read the text and images in your documents and turn them into structured medical information
- Generate educational summaries, explanations, and suggested topics for you to discuss with a clinician
- Organize your profile so that you and any authorized caregiver can navigate it
- Let you review what we extracted and provide copies of your data on request
- Improve the accuracy, reliability, and usefulness of Moku, using data with direct identifiers removed and product-usage telemetry (see Section 7)
- Respond to your support requests
- Maintain the security, reliability, and integrity of the product
- Comply with our legal obligations
We do not use your information for purposes unrelated to providing and improving the product without your separate consent, except as required by law.
5. AI and Third-Party Processing
Moku uses third-party AI providers to power parts of the pipeline. We have selected providers that operate under signed Business Associate Agreements with us and that offer contractual restrictions on data retention and use for training.
Providers we currently use:
- Google Cloud — for optical character recognition (OCR) on uploaded documents. Google Cloud is BAA-covered.
- OpenAI — for the reasoning, summarization, and explanation steps that follow OCR. OpenAI is BAA-covered with Zero Data Retention enforced.
We may add or replace providers over time. When we do, we update our sub-processor list (see Section 9). We will not add a category of recipient that meaningfully changes how your data is processed without notifying you and, where required, obtaining your consent.
What is sent to providers, and what is not:
- For OCR, we send the document itself to the OCR provider because the OCR step requires it.
- For every other AI step — entity detection, extraction, abstraction, quality evaluation, educational explanations, and suggested topics to discuss with a clinician — we send de-identified structured data (extracted fields, snippets, JSON) rather than the raw document. Direct identifiers are tokenized first (see Section 2).
- We do not allow AI providers to use your content to train their general-purpose models. Where the provider supports Zero Data Retention, we enforce it.
- Some providers may temporarily retain inputs and outputs for limited operational, security, abuse-monitoring, debugging, or legal-compliance purposes. We rely on the provider's contractual terms to limit that retention.
We do not use your identifiable health information for external research, advertising, or training of foundation models — ours or anyone else's — without your separate consent.
6. Data Retention
We hold different categories of data for different periods:
- Original uploaded documents (PDFs, images): deleted from our active systems within 7 days of the time we finish processing them. We retain originals only briefly so we can re-run a step if something goes wrong, and then we delete them.
- Extracted, de-identified text and structured findings: retained while your account or the relevant profile is active, so that you can keep reviewing what we found and ask follow-up questions. Deleted when you delete the profile or your account.
- Profile information (first name, year of birth, sex, relationship): retained while your account is active; deleted when you delete the profile or your account.
- Account information: retained while your account is active; deleted when you close your account.
- Telemetry: retained for a limited period for product analysis and then aggregated or deleted.
- Audit logs: retained longer than user data, as required for security and compliance, even after a profile or account is deleted. Audit logs record access events; they do not contain the underlying medical content.
- Backups: deleted data may persist in encrypted backups for a limited rolling window before being overwritten on backup rotation.
- AI provider-side retention: governed by the provider's contractual terms with us. See Section 5.
- Support messages: retained for a limited period to maintain a record of your requests and our responses.
When you delete a profile or your account, we delete active-system copies of the corresponding documents and extracted data within a reasonable period, subject to the backup and audit-log retention above. Deletion of active-system data ends future processing but does not undo processing that has already occurred — for example, content already sent to an AI provider cannot be unsent.
7. How We Protect Your Data
We use a layered set of safeguards, including:
- Encryption. Your uploaded documents, extracted data, and account information are encrypted in transit (TLS 1.3) and at rest (AES-256) on HIPAA-eligible cloud infrastructure operated by AWS in the United States.
- De-identification at source. Direct identifiers in the text extracted from your documents are tokenized before any downstream processing (see Section 2).
- Access controls. Row-level security in our databases isolates one account's data from another's. Only authorized Moku personnel under confidentiality obligations can reach your data, and we work to keep that group as small as possible.
- Audit logs. Sensitive access events are logged, including internal access by our team.
- Vendor controls. Contractual Business Associate Agreements with every vendor that processes your health information on our behalf, plus technical configuration that limits retention and prohibits training on your content (see Section 5).
- Workforce training. Our personnel are trained on privacy, security, and handling of health information.
- Telemetry minimization. Form-field values are not captured by our product telemetry, and URLs containing identifiers are normalized before being recorded.
- Incident response. We have procedures for investigating and containing security events, and a process for notifying affected users under the legal regimes described in Section 10.
Limited raw-document access for issue resolution. Within the 7-day window during which we still hold your original uploaded document (see Section 6), an authorized Moku team member may view that original document only if we have identified, or you have reported, an issue with how it was processed — for example, an extraction error. We commit to:
- Using raw-document access only to diagnose a specific identified or reported issue, and viewing only the portions necessary
- Restricting raw-document access to a small set of authorized team members under confidentiality obligations
- Audit-logging every raw-document access, including the team member, timestamp, document identifier, the reason for access, and whether any copy, export, or download occurred
We do not allow casual browsing of uploaded documents. After the 7-day window the document has been deleted from our active systems and is no longer accessible to anyone, including us.
No system is perfectly secure, and we cannot guarantee absolute security. We commit to handling your data with care and to the safeguards above.
8. Caregiver and Proxy Uploads
Moku is designed for use by an adult reviewing their own records or by an adult family caregiver reviewing the records of another adult. The profile subject — the person whose records you are uploading — must be 18 years of age or older. Moku does not support pediatric records.
If you upload records for someone other than yourself, you confirm that you have legal authority — or that person's informed consent — to do so. Examples of legal authority include holding a valid healthcare power of attorney, being a court-appointed guardian for an adult, or acting as the personal representative of an estate.
You are responsible for using the information in Moku appropriately on behalf of that person and for honoring their wishes about how their information is handled. If the person whose records you have uploaded asks you to delete their data, you can do so at any time by deleting that profile.
We may at any time ask you to confirm your authority to upload records for another person.
9. Who We Share Data With
We share data only with the following categories of recipients, and only as needed to provide and improve the product:
- Cloud hosting and infrastructure providers — to store and process your data
- AI and model providers — as described in Section 5
- Error and security monitoring providers — to detect bugs, crashes, and security events
- Customer support tooling — to respond to your support requests
- Legal and compliance recipients — when we are legally required to disclose information (for example, in response to a valid subpoena or court order), or when necessary to protect rights, safety, or the integrity of the product
We maintain a current list of the specific sub-processors that handle your data on our behalf. You can request our current sub-processor list by contacting us at the address in Section 16.
We do not sell your data. We do not share it with data brokers. We do not use it for targeted advertising.
10. Breach Notification
Because Moku is not a HIPAA covered entity (see Section 2), our breach-notification obligations are governed by the U.S. Federal Trade Commission's Health Breach Notification Rule (16 CFR Part 318), not HIPAA. If we discover a breach of unsecured personally identifiable health information, we will:
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
- Notify the FTC in accordance with the timing and threshold requirements of 16 CFR §318.5, including the heightened notice requirements that apply when a breach affects 500 or more individuals.
- Notify prominent media in any state or jurisdiction where 500 or more individuals are affected, at the same time as the individual notice.
We will also comply with any breach-notification obligations imposed by applicable state law, including those listed in Section 11.
11. Your Rights by Jurisdiction
Your rights over your information depend on where you live. The rights described below are in addition to the controls Moku gives every user — you can review what we have extracted, request a copy of your data, delete your profile, and withdraw your consent at any time through the app or by contacting us.
California residents have rights under both the Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act / Privacy Rights Act (CCPA/CPRA), including the right to access, correct, and delete your personal information; the right to limit our use of sensitive personal information; and a private right of action under CMIA for certain violations. We treat health information as sensitive personal information under CPRA.
Washington residents have rights under the My Health My Data Act (RCW 19.373), including the right to confirm whether we are collecting your consumer health data, the right to withdraw consent, the right to delete your consumer health data, and a private right of action. We collect Washington residents' consumer health data only with your prior consent, and we do not sell it.
Nevada residents have rights under SB 370 (consumer health data, codified in NRS 603A), including the right to know what consumer health data we collect and the right to have it deleted. Nevada law generally requires affirmative consent to collect or share consumer health data and written authorization to sell it; we do not sell consumer health data, and where Nevada law requires separate consents for collection and for sharing, we obtain them.
Connecticut residents have rights under the Connecticut Data Privacy Act, including opt-in consent for processing of consumer health data, the right to access and delete, and the right to opt out of targeted advertising and profiling (we do not engage in either with your health data).
Colorado and Texas residents have rights under the Colorado Privacy Act and the Texas Data Privacy and Security Act, including opt-in consent for processing of sensitive personal information, the right to access, correct, and delete, and the right to opt out of certain processing.
Other U.S. states with consumer privacy laws may grant you similar rights. We honor those rights to the extent the laws apply.
European Economic Area, United Kingdom, and Switzerland residents. Moku is currently offered to residents of the United States. We do not actively serve users in the European Economic Area, the United Kingdom, or Switzerland, and we have not designated an Article 27 representative or established the formal transfer mechanisms (such as Standard Contractual Clauses or the EU-U.S. Data Privacy Framework) that EU/UK/Swiss data-protection law would require for routine processing of EU/UK/Swiss residents' personal data. If you access Moku from one of these jurisdictions, you do so at your own initiative and you understand that your data will be processed in the United States under U.S. law.
To exercise any of these rights, contact us at the address in Section 16. We will respond within the timeframes required by applicable law.
12. Children's Privacy
Moku is for adults only. Both the account holder and the profile subject (the person whose records are being uploaded) must be at least 18 years old. We do not knowingly collect personal information from individuals under 18, and we do not allow records belonging to individuals under 18 to be uploaded to a Moku profile — by the user themselves or by a caregiver acting on their behalf.
If we learn that we have collected personal information from a person under 18 or that pediatric records have been uploaded in violation of this policy, we will delete that information promptly and may restrict the account. If you believe we have collected such information, contact us at the address in Section 16.
13. International Data Transfers
Moku is operated from the United States, and the cloud infrastructure that stores and processes your data is located in the United States. We do not currently offer Moku in jurisdictions outside the United States, and we use region-based access controls intended to block access from the European Economic Area, the United Kingdom, Switzerland, mainland China, Hong Kong, and Macau. If you access Moku from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States, which may have different data-protection laws than your country of residence. See Section 11 (European Economic Area, United Kingdom, and Switzerland) for jurisdiction-specific considerations.
14. Changes to This Policy
We may update this Privacy Policy. When we make a material change, we will:
- Bump the Document version at the top of this page and update the Last updated date
- Notify you in the app or by email before the change takes effect, where the change is material to how we handle your information
- Keep a record of prior versions and material changes in our version history
Your continued use of Moku after a change takes effect constitutes your acceptance of the revised policy. If you do not agree with a change, you may close your account before it takes effect.
15. Version History
- v1.0 — 2026-05-27 — Initial general-availability Privacy Policy. Supersedes the prior waitlist-era Privacy Policy and the v1.0-alpha Data Use, Privacy & Product Safety Acknowledgement.
16. Contact Us
If you have questions about this Privacy Policy or your information, or to exercise any of the rights described above, contact us at:
Moku (Arbor Ray, Inc.)
Email: info@mokuhealth.ai
We aim to respond to all privacy inquiries within the timeframes required by applicable law and, in any event, without undue delay.